Static analysis CLI for Chrome Extension (.crx) packages. Built to help
malware analysts, threat hunters, and security researchers quickly assess
whether a browser extension is doing what it claims.
Parses CRX2 and CRX3 packages, analyzes the manifest, scans JavaScript for suspicious patterns, detects embedded secrets, flags Chrome DevTools Protocol (CDP) abuse through the `chrome.debugger` API, extracts hardcoded URLs, and produces a risk verdict.
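To make the container format concrete, here is a minimal CRX2/CRX3 splitter that locates the embedded ZIP and reads `manifest.json` out of it. This is an added example, not the tool's own parser; `build_sample_crx` constructs an unsigned fixture with placeholder key and signature bytes so the code runs offline, and nothing here verifies signatures.

```python
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"


def split_crx(data: bytes) -> tuple[int, bytes, bytes]:
    """Split a CRX blob into (version, header_bytes, zip_bytes).

    Both versions start with the magic "Cr24" and a uint32 LE version:
      CRX2: uint32 LE pubkey_len | uint32 LE sig_len | pubkey | signature | ZIP
      CRX3: uint32 LE header_len | protobuf CrxFileHeader (keys, signatures) | ZIP
    Signatures are not verified here; this only locates the archive for static review.
    """
    if len(data) < 12 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file: bad magic")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        if len(data) < 16:
            raise ValueError("truncated CRX2 header")
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        start = 16 + key_len + sig_len
        header = data[8:start]
    elif version == 3:
        header_len = struct.unpack_from("<I", data, 8)[0]
        start = 12 + header_len
        header = data[12:start]
    else:
        raise ValueError(f"unsupported CRX version {version}")
    # A bogus length field is the usual way a hand-crafted package breaks a parser.
    if start > len(data) or data[start:start + 2] != b"PK":
        raise ValueError("header length does not point at a ZIP archive")
    return version, header, data[start:]


def is_crx(data: bytes) -> bool:
    """True when the blob has a well-formed CRX2/CRX3 wrapper around a ZIP payload."""
    try:
        split_crx(data)
    except ValueError:
        return False
    return True


def read_manifest(data: bytes) -> dict:
    """Parse manifest.json out of a CRX2 or CRX3 package."""
    _version, _header, zip_bytes = split_crx(data)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if "manifest.json" not in zf.namelist():
            raise ValueError("missing manifest.json")
        return json.loads(zf.read("manifest.json"))


def build_sample_crx(version: int, manifest: dict) -> bytes:
    """Constructed fixture: a CRX wrapper with placeholder key/signature bytes.

    Not a validly signed package; it exists only so the parser can be run offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "console.log('constructed sample');\n")
    zip_bytes = buf.getvalue()
    if version == 2:
        key, sig = b"\x30" * 294, b"\x00" * 256  # sizes of a DER RSA-2048 SPKI and its signature
        return CRX_MAGIC + struct.pack("<III", 2, len(key), len(sig)) + key + sig + zip_bytes
    header = b"\x00" * 16  # placeholder standing in for a serialized CrxFileHeader
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + zip_bytes
```

`read_manifest(build_sample_crx(3, {...}))` returns the manifest dict; a truncated file, a wrong magic or a header length that does not land on a `PK` signature raises `ValueError`, which is the condition a CLI would map to an input-error exit status.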
## Installation

```bash
pip install -e .
```

Or from a clone:

```bash
git clone https://github.com/Jz8Root/crx-forensics.git
cd crx-forensics
pip install -e .
```

## Usage

Analyze a `.crx` file:

```bash
crx-forensics analyze extension.crx
```

Analyze an unpacked extension directory:

```bash
crx-forensics scan-dir path/to/unpacked/
```

JSON output for scripting:

```bash
crx-forensics analyze --json extension.crx
```

## What it checks

- Manifest — permission scoring, dangerous combinations (MITM, cookie theft, CDP takeover), deprecated Manifest V2, non-official update URLs, content script injection scope
- Code patterns — `eval`, `Function` constructor, keypress listeners, DOM injection, form scraping, dynamic script loading, WebSocket connections, clipboard access, obfuscator.io signatures
- Obfuscation — Shannon entropy per JS file (threshold: 6.0 bits per byte)
- Secrets — RSA private keys, AWS access keys, GitHub tokens, Stripe keys, Slack tokens, hardcoded passwords
- Chrome DevTools Protocol (CDP) — `chrome.debugger` API calls and CDP domain commands (`Runtime.evaluate`, `Network.enable`, `Input.dispatch`, `Fetch.enable`, `Page.captureScreenshot`). This is a key differentiator: CDP abuse is the signature of advanced spying extensions such as Cloud9 RAT and VenomSoftX
- Network — hardcoded URLs and domains, raw IP addresses, suspicious TLDs (.tk, .xyz, etc.)
- Risk scoring — weighted score (0-100) with verdict:
  - MALICIOUS (60+): strong indicators such as raw IP + obfuscation + credential theft
  - SUSPICIOUS (40-59): patterns worth investigating
  - LOW RISK (0-39): normal or expected patterns
## Exit codes

| Code | Meaning |
|---|---|
| 0 | No critical or high findings |
| 1 | High findings present |
| 2 | Critical findings present |
| 3 | Input error (bad CRX, missing manifest) |
Useful for CI pipelines — block deployment if an extension has critical findings.
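The manifest checks listed under "What it checks", the 40/60 verdict thresholds and the exit-code table all fit in one small triage routine. This is an added example and not the project's own scoring code: the permission weights, combo weight and finding severities are assumptions chosen for illustration, only the verdict thresholds and the exit-code meanings come from this page, and the three manifests are constructed rather than taken from real extensions.

```python
import json

# Chrome Web Store update endpoint; any other value is flagged as a non-official update URL.
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Weights are illustrative assumptions for this example; only the 40/60 verdict
# thresholds and the exit-code rules come from the README.
PERMISSION_WEIGHTS = {
    "debugger": 30, "webRequestBlocking": 15, "<all_urls>": 15, "proxy": 10,
    "webRequest": 10, "cookies": 10, "nativeMessaging": 10, "tabs": 5,
    "scripting": 5, "clipboardRead": 5, "history": 5, "management": 5,
}
DANGEROUS_COMBOS = [  # (name, severity, permissions that must all be present)
    ("mitm", "critical", {"webRequest", "webRequestBlocking", "<all_urls>"}),
    ("cookie_theft", "critical", {"cookies", "<all_urls>"}),
    ("cdp_takeover", "critical", {"debugger"}),
]


def analyze_manifest(manifest: dict) -> list[dict]:
    """Return weighted findings for the manifest checks listed on this page."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV3 keeps host patterns here
    if (perms | hosts) & BROAD_HOSTS:
        perms.add("<all_urls>")  # normalise every "everywhere" pattern to one token
    for perm in sorted(perms):
        weight = PERMISSION_WEIGHTS.get(perm, 0)
        if weight:
            findings.append({"name": f"permission:{perm}", "severity": "medium" if weight >= 10 else "low", "weight": weight})
    for name, severity, needed in DANGEROUS_COMBOS:
        if needed <= perms:
            findings.append({"name": f"combo:{name}", "severity": severity, "weight": 25})
    if manifest.get("manifest_version") == 2:
        findings.append({"name": "deprecated_manifest_v2", "severity": "low", "weight": 5})
    update_url = manifest.get("update_url")
    if update_url and update_url != OFFICIAL_UPDATE_URL:
        findings.append({"name": "non_official_update_url", "severity": "high", "weight": 15, "value": update_url})
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append({"name": "content_script_all_urls", "severity": "medium", "weight": 10})
    return findings


def risk_score(findings: list[dict]) -> int:
    return min(100, sum(f["weight"] for f in findings))


def verdict(score: int) -> str:
    if score >= 60:
        return "MALICIOUS"
    if score >= 40:
        return "SUSPICIOUS"
    return "LOW RISK"


def exit_code(findings: list[dict]) -> int:
    """CI exit status: 2 critical, 1 high, 0 otherwise (3 is reserved for input errors)."""
    severities = {f["severity"] for f in findings}
    if "critical" in severities:
        return 2
    if "high" in severities:
        return 1
    return 0


def triage(manifest_json: str) -> tuple[int, int, str]:
    """Return (exit_code, score, verdict); a bad or missing manifest yields exit code 3."""
    try:
        manifest = json.loads(manifest_json)
        if not isinstance(manifest, dict) or "manifest_version" not in manifest:
            raise ValueError("missing or invalid manifest")
    except (ValueError, TypeError):
        return 3, 0, "INPUT ERROR"
    findings = analyze_manifest(manifest)
    score = risk_score(findings)
    return exit_code(findings), score, verdict(score)


# Constructed manifests for this example, not taken from any real extension.
STEALER_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Free VPN Booster", "version": "1.0",
    "permissions": ["debugger", "cookies", "webRequest", "webRequestBlocking", "<all_urls>", "storage"],
    "update_url": "https://cdn.example.net/booster.xml",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
GREYWARE_MANIFEST = json.dumps({
    "manifest_version": 2, "name": "Tab Helper", "version": "0.3",
    "permissions": ["tabs", "webRequest", "cookies", "storage"],
    "update_url": "https://updates.example.org/tab-helper.xml",
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Notes", "version": "2.1",
    "permissions": ["storage", "activeTab"],
})
```

`triage(STEALER_MANIFEST)` returns `(2, 100, "MALICIOUS")`, `triage(GREYWARE_MANIFEST)` returns `(1, 45, "SUSPICIOUS")` and `triage(BENIGN_MANIFEST)` returns `(0, 0, "LOW RISK")`. Note that the exit code is driven by the worst finding severity while the verdict is driven by the summed score, so a CI gate on exit code 2 and a human triage queue on the SUSPICIOUS band are two different policies; `triage("{not json")` returns exit code 3, matching the input-error row of the table.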
## Validation

Tested against 24 real-world extensions, including known malware samples, crypto wallets (MetaMask, TronLink), ad blockers (uBlock Origin, AdBlock Plus), password managers (Bitwarden), and developer tools (React DevTools, Postman).

On that corpus there were no false positives at the MALICIOUS level, and the known-safe extensions score LOW RISK.
## Limitations

This is a static analysis tool, not a sandbox. It does not:
- Execute extension code
- Check code against known malware signatures (like AV engines)
- Verify that URLs/domains are actually malicious
- Replace manual review by a trained analyst
The risk score is a triage signal, not a final verdict. Extensions flagged SUSPICIOUS may be perfectly legitimate — review the individual findings.
## Development

```bash
pip install -e ".[dev]"
pytest
ruff check crx_forensics/ tests/
```

## References

This tool was inspired by published research on malicious Chrome extensions:
- DataSpii — massive data collection via browser extensions (2019)
- The Great Suspender — legitimate extension hijacked via ownership transfer (2021)
- ChromeLoader — malvertising campaign using malicious extensions (2022)
- Cloud9 RAT — botnet using Chrome extensions with CDP abuse (Zimperium, 2022)
- VenomSoftX — cryptocurrency clipboard hijacker via extensions (Avast, 2022)
- Rilide — banking credential stealer disguised as a browser extension (Trustwave, 2023)
## License

MIT — see LICENSE.
Issues and discussions: GitHub Issues